Npcap 0.992 Denial-of-Service (NDIS Wan) #1569

Closed
r0t0tiller opened this issue Apr 23, 2019 · 4 comments
Comments

r0t0tiller commented Apr 23, 2019

Description:

Sending a malformed .pcap file with the NDIS Wan adapter results in a Denial-of-Service (BSoD).

Analysis:

Sending a malformed .pcap file with the NDIS Wan adapter using either pcap_sendqueue_queue() or pcap_sendqueue_transmit() results in a Denial-of-Service (BSoD).

Version: npcap 0.992

Tested on: Windows 10 x64

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 000000000000005f, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
Arg4: fffff80c154611aa, address which referenced memory

Debugging Details:
------------------

*** ERROR: Module load completed but symbols could not be loaded for wanarp.sys
*** ERROR: Module load completed but symbols could not be loaded for npcap.sys
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for packet.dll - 

DUMP_CLASS: 1

DUMP_QUALIFIER: 0

BUILD_VERSION_STRING:  17134.1.amd64fre.rs4_release.180410-1804

DUMP_TYPE:  0

BUGCHECK_P1: 5f

BUGCHECK_P2: 2

BUGCHECK_P3: 1

BUGCHECK_P4: fffff80c154611aa

WRITE_ADDRESS:  000000000000005f 

CURRENT_IRQL:  2

FAULTING_IP: 
wanarp+11aa
fffff80c`154611aa f0ff4760        lock inc dword ptr [rdi+60h]

CPU_COUNT: 2

CPU_MHZ: c17

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 9e

CPU_STEPPING: 9

CPU_MICROCODE: 6,9e,9,0 (F,M,S,R)  SIG: 9A'00000000 (cache) 9A'00000000 (init)

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  AV

PROCESS_NAME:  sendcap.exe

ANALYSIS_SESSION_HOST:  DESKTOP-GKGKQ49

ANALYSIS_SESSION_TIME:  04-23-2019 12:43:04.0854

ANALYSIS_VERSION: 10.0.15063.468 amd64fre

TRAP_FRAME:  fffff509580b5cb0 -- (.trap 0xfffff509580b5cb0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffce059e83a3b0 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80c154611aa rsp=fffff509580b5e40 rbp=00000000ffffffff
 r8=fffff509580b5eb8  r9=0000000000000001 r10=fffff80367854180
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
wanarp+0x11aa:
fffff80c`154611aa f0ff4760        lock inc dword ptr [rdi+60h] ds:00000000`00000060=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff803688e73b2 to fffff80368855cd0

STACK_TEXT:  
fffff509`580b53a8 fffff803`688e73b2 : 00000000`0000005f ffffce05`a10af080 fffff509`580b5510 fffff803`687f0640 : nt!DbgBreakPointWithStatus
fffff509`580b53b0 fffff803`688e6bc2 : 00000000`00000003 fffff509`580b5510 fffff803`68861370 00000000`000000d1 : nt!KiBugCheckDebugBreak+0x12
fffff509`580b5410 fffff803`6884e1a7 : 00000000`0000005f fffff803`686fe426 00000000`00000000 fffff509`580b6288 : nt!KeBugCheck2+0x962
fffff509`580b5b30 fffff803`6885ec69 : 00000000`0000000a 00000000`0000005f 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx+0x107
fffff509`580b5b70 fffff803`6885b8e5 : 00000000`00000005 fffff509`580b6010 ffff81c0`e07731a0 00000000`00000000 : nt!KiBugCheckDispatch+0x69
fffff509`580b5cb0 fffff80c`154611aa : 00000000`00000000 00000000`00000002 fffff509`580b6070 00000000`000b8b11 : nt!KiPageFault+0x425
fffff509`580b5e40 fffff80c`126632aa : fffff509`580b5f81 ffffb98d`10000000 ffffce05`a137b080 fffff509`580b6070 : wanarp+0x11aa
fffff509`580b5f10 fffff80c`12688eff : ffffce05`a137b001 00000000`00000000 ffffce05`00000000 ffff81dc`00000001 : ndis!ndisMIndicateNetBufferListsToOpen+0x12a
fffff509`580b5fe0 fffff80c`126ba563 : ffffce05`a126b1a0 fffff803`00000002 ffffce05`a1e9d030 00000000`0000013f : ndis!ndisMTopReceiveNetBufferLists+0x2619f
fffff509`580b60e0 fffff80c`1268b3ce : 00000000`00000002 ffffce05`a1e9d030 00000000`00000001 ffffbe03`6167e908 : ndis!ndisInvokeNextReceiveHandler+0x4b
fffff509`580b61b0 fffff80c`126686df : ffffce05`9eaca010 ffffce05`a1e9d030 ffffce05`00000000 00000000`00000001 : ndis!ndisFilterIndicateReceiveNetBufferLists+0x22cce
fffff509`580b6280 fffff80c`13806ea2 : 00000000`00000003 00000000`00000000 00000000`00000000 ffffce05`a14afc4b : ndis!NdisFIndicateReceiveNetBufferLists+0x3f
fffff509`580b62c0 fffff80c`12663907 : ffffce05`9eaaef20 fffff80c`12661010 fffff80c`13806da0 00000000`00000000 : pacer!PcFilterReceiveNetBufferLists+0x102
fffff509`580b6340 fffff80c`1266104e : ffffce05`a10af080 00000000`00000000 fffff509`580b1000 fffff509`580b8000 : ndis!ndisCallReceiveHandler+0x47
fffff509`580b6390 fffff803`6876317a : fffff509`580b6501 fffff509`580b64e0 fffff509`00000002 ffffce05`a14afc48 : ndis!ndisDataPathExpandStackCallback+0x3e
fffff509`580b63e0 fffff803`687630dd : fffff80c`12661010 fffff509`580b64e0 ffffce05`a1e9d030 00000000`00000002 : nt!KeExpandKernelStackAndCalloutInternal+0x8a
fffff509`580b6440 fffff80c`126ba74d : 00000000`c8f08d80 00000000`00000073 00000000`00000000 ffffce05`a1e9d1b0 : nt!KeExpandKernelStackAndCalloutEx+0x1d
fffff509`580b6480 fffff80c`1268b3ce : 00000000`00000002 ffffce05`a1e9d030 00000000`00000001 00000000`00000000 : ndis!ndisInvokeNextReceiveHandler+0x235
fffff509`580b6550 fffff80c`126686df : ffffce05`9eadc620 ffffce05`a1e9d030 00000000`00000000 00000000`00000001 : ndis!ndisFilterIndicateReceiveNetBufferLists+0x22cce
fffff509`580b6620 fffff80c`137c5ff7 : ffffce05`a1423000 ffff9ae0`66c98933 ffffce05`a1423000 fffff80c`12677250 : ndis!NdisFIndicateReceiveNetBufferLists+0x3f
fffff509`580b6660 fffff80c`12663907 : ffffce05`a1423000 fffff509`580b6881 fffff80c`12661010 ffffce05`a14af8f0 : npcap+0x5ff7
fffff509`580b66c0 fffff80c`1266104e : ffffce05`a10af080 fffff80c`127ca17f fffff509`580b1000 fffff509`580b8000 : ndis!ndisCallReceiveHandler+0x47
fffff509`580b6710 fffff803`6876317a : fffff509`580b6881 fffff509`580b6860 ffffce05`00000002 00000000`00000000 : ndis!ndisDataPathExpandStackCallback+0x3e
fffff509`580b6760 fffff803`687630dd : fffff80c`12661010 fffff509`580b6860 ffffce05`a1e9d030 00000000`00000002 : nt!KeExpandKernelStackAndCalloutInternal+0x8a
fffff509`580b67c0 fffff80c`126ba74d : 00000000`00000000 fffff509`580b6900 ffffce05`a1e9d030 fffff80c`14d2bff7 : nt!KeExpandKernelStackAndCalloutEx+0x1d
fffff509`580b6800 fffff80c`1268b3ce : 00000000`00000002 ffffce05`a1e9d030 00000000`00000001 ffffce05`a0ff7690 : ndis!ndisInvokeNextReceiveHandler+0x235
fffff509`580b68d0 fffff80c`126686df : ffffce05`9eaac4f0 ffffce05`a1e9d030 ffffce05`00000000 00000000`00000001 : ndis!ndisFilterIndicateReceiveNetBufferLists+0x22cce
fffff509`580b69a0 fffff80c`12a81177 : 00000000`00000002 fffff509`580b6b00 00000000`00000002 00000000`00000000 : ndis!NdisFIndicateReceiveNetBufferLists+0x3f
fffff509`580b69e0 fffff80c`12663907 : 00000000`00000000 00000000`00000000 00000000`00000000 fffff803`6874abfe : wfplwfs!LwfLowerRecvNetBufferLists+0x167
fffff509`580b6b40 fffff80c`1266104e : ffffce05`a10af080 00000000`00000001 fffff509`580b1000 fffff509`580b8000 : ndis!ndisCallReceiveHandler+0x47
fffff509`580b6b90 fffff803`6876317a : fffff509`580b6d80 fffff509`580b6dd8 fffff509`00000002 fffff803`686f2b41 : ndis!ndisDataPathExpandStackCallback+0x3e
fffff509`580b6be0 fffff803`687630dd : fffff80c`12661010 fffff509`580b6dd8 00000000`000045ed ffffce05`9eaac4f0 : nt!KeExpandKernelStackAndCalloutInternal+0x8a
fffff509`580b6c40 fffff80c`12688cdf : fffff7cc`800006a0 00000000`00000ad0 ffffce05`a13e7880 00000000`00000000 : nt!KeExpandKernelStackAndCalloutEx+0x1d
fffff509`580b6c80 fffff80c`154d4a05 : 00000000`00000000 ffffce05`a1e9d030 ffffce05`a2234ba0 00000000`00001001 : ndis!NdisMIndicateReceiveNetBufferLists+0x269ff
fffff509`580b6e90 fffff80c`154dcce6 : ffffce05`a0ae9010 fffff509`580b6f60 ffffce05`a1e9d030 00000000`0000fedc : ndiswan!NdisWanIndicateLoopbackPacket+0x17d
fffff509`580b6ef0 fffff80c`154d6d20 : ffffce05`9eab9d02 ffffce05`9eabe010 ffffce05`a15a1b60 fffff803`6898f32e : ndiswan!ApplyQoSAndQueueSend+0x112
fffff509`580b6fa0 fffff80c`12665b53 : 00000000`00000000 ffffce05`9eab9d02 00000000`00000000 ffffce05`a126b1a0 : ndiswan!MPSendNetBufferListChain+0x160
fffff509`580b6fe0 fffff80c`12665a3e : 00000000`00000001 ffffce05`a2234ba0 ffffce05`a2234ba0 ffffce05`a0fc44c0 : ndis!ndisMSendNBLToMiniportInternal+0x103
fffff509`580b70a0 fffff80c`12665996 : 00000000`00000000 fffff509`580b72d0 00000000`00000000 00000000`00000000 : ndis!ndisMSendNBLToMiniport+0xe
fffff509`580b70e0 fffff80c`126672c1 : ffffce05`a2234ba0 00000000`00000000 00000000`00000000 ffffce05`9f58da50 : ndis!ndisInvokeNextSendHandler+0x46
fffff509`580b71b0 fffff80c`12a815aa : ffffce05`00000000 ffffce05`9eab0bc1 ffffce05`00000000 ffffce05`9eadcc01 : ndis!NdisFSendNetBufferLists+0x101
fffff509`580b7260 fffff80c`12661964 : ffffffff`ffffffff 00000000`00000002 ffffce05`a2235ef0 00000000`00000000 : wfplwfs!LwfLowerSendNetBufferLists+0x15a
fffff509`580b73a0 fffff80c`1266104e : 00000000`000000e9 fffff803`686bd940 00000000`00000000 fffff803`686348b1 : ndis!ndisCallSendHandler+0x44
fffff509`580b73f0 fffff803`6876317a : fffff509`580b7559 fffff509`580b7540 ffffce05`9f000000 00000000`00000000 : ndis!ndisDataPathExpandStackCallback+0x3e
fffff509`580b7440 fffff803`687630dd : fffff80c`12661010 fffff509`580b7540 00000000`00000000 ffffce05`9eaac4f0 : nt!KeExpandKernelStackAndCalloutInternal+0x8a
fffff509`580b74a0 fffff80c`12665a19 : 0007a108`00000000 ffffce05`00000000 00000000`00000000 ffffce05`9f000000 : nt!KeExpandKernelStackAndCalloutEx+0x1d
fffff509`580b74e0 fffff80c`126672c1 : 00000000`00000000 00000000`00000000 00000000`c8f08c78 00000000`00000000 : ndis!ndisInvokeNextSendHandler+0xc9
fffff509`580b75b0 fffff80c`137c7331 : 00000000`00000000 ffffce05`9eadd6a1 ffffce05`00000000 ffffce05`a1f35500 : ndis!NdisFSendNetBufferLists+0x101
fffff509`580b7660 fffff80c`137c4c20 : ffffce05`510b3f20 ffffce05`a0ae9000 00000000`00023566 00000000`20206f01 : npcap+0x7331
fffff509`580b76f0 fffff803`6873ce69 : 7fffffff`ffffffff ffffce05`a1dae010 ffffde0a`1fe6c710 00000000`00000000 : npcap+0x4c20
fffff509`580b7780 fffff803`68ba0fdb : ffffce05`a1dae010 fffff509`580b7b00 00000000`00000001 00000000`00000001 : nt!IofCallDriver+0x59
fffff509`580b77c0 fffff803`68ba068a : ffffce05`00000000 ffffce05`a1dae010 00000000`20206f49 fffff509`580b7b00 : nt!IopSynchronousServiceTail+0x1ab
fffff509`580b7870 fffff803`68ba0e16 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x68a
fffff509`580b79a0 fffff803`6885e743 : ffffffff`ffffffff 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtDeviceIoControlFile+0x56
fffff509`580b7a10 00007ffe`877daa84 : 00007ffe`84632766 0000004f`d597f108 000001e0`70ec4d57 00000000`00000300 : nt!KiSystemServiceCopyEnd+0x13
0000004f`d597f0e8 00007ffe`84632766 : 0000004f`d597f108 000001e0`70ec4d57 00000000`00000300 00007ffe`6e607000 : ntdll!NtDeviceIoControlFile+0x14
0000004f`d597f0f0 00007ffe`86f83d30 : 00000000`00002349 0000004f`d597f250 00000000`00000000 00000000`ce000ac4 : KERNELBASE!DeviceIoControl+0x66
0000004f`d597f160 00007ffe`6f38590e : 00000000`00000001 000001e0`70d70000 00000000`00000001 00000000`00023566 : KERNEL32!DeviceIoControlImplementation+0x80
0000004f`d597f1b0 00000000`00000001 : 000001e0`70d70000 00000000`00000001 00000000`00023566 00000000`00000000 : packet!PacketSendPackets+0x9e
0000004f`d597f1b8 000001e0`70d70000 : 00000000`00000001 00000000`00023566 00000000`00000000 00007ff7`00000000 : 0x1
0000004f`d597f1c0 00000000`00000001 : 00000000`00023566 00000000`00000000 00007ff7`00000000 0000004f`d597f240 : 0x000001e0`70d70000
0000004f`d597f1c8 00000000`00023566 : 00000000`00000000 00007ff7`00000000 0000004f`d597f240 00000000`00000000 : 0x1
0000004f`d597f1d0 00000000`00000000 : 00007ff7`00000000 0000004f`d597f240 00000000`00000000 00007ffe`00048c89 : 0x23566


STACK_COMMAND:  kb

THREAD_SHA1_HASH_MOD_FUNC:  6950c1490f93e61867ed27d452a5ba04b94696e0

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  3c3225e945c55ebde5765bf575c54022f3c197ac

THREAD_SHA1_HASH_MOD:  ea9d19ccd33e17c9ae72d77a59b8e7c1a0615408

FOLLOWUP_IP: 
wanarp+11aa
fffff80c`154611aa f0ff4760        lock inc dword ptr [rdi+60h]

FAULT_INSTR_CODE:  6047fff0

SYMBOL_STACK_INDEX:  6

SYMBOL_NAME:  wanarp+11aa

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: wanarp

IMAGE_NAME:  wanarp.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  42955ba7

BUCKET_ID_FUNC_OFFSET:  11aa

FAILURE_BUCKET_ID:  AV_wanarp!unknown_function

BUCKET_ID:  AV_wanarp!unknown_function

PRIMARY_PROBLEM_CLASS:  AV_wanarp!unknown_function

TARGET_TIME:  2019-04-23T19:42:07.000Z

OSBUILD:  17134

OSSERVICEPACK:  0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  272

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:  

USER_LCID:  0

OSBUILD_TIMESTAMP:  2018-12-31 22:44:13

BUILDDATESTAMP_STR:  180410-1804

BUILDLAB_STR:  rs4_release

BUILDOSVER_STR:  10.0.17134.1.amd64fre.rs4_release.180410-1804

ANALYSIS_SESSION_ELAPSED_TIME:  9683

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:av_wanarp!unknown_function

FAILURE_ID_HASH:  {22ef279d-c015-9fef-fb84-0354b871a8bf}

Followup:     MachineOwner
---------
gvanem commented Apr 25, 2019

FAULTING_IP:
wanarp+11aa

How is this Npcap's fault?
wanarp.sys is Microsoft's MS Remote Access and Routing ARP Driver.

Besides, windump decodes frames 1 + 2 fine. But the remaining 9030 frames are parsed as junk:
[Invalid header: caplen==0, len==0]
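The reporter feeds every record of the file to pcap_sendqueue_queue() / pcap_sendqueue_transmit(), and gvanem's windump run shows only frames 1 and 2 decoding cleanly, with the rest carrying caplen==0, len==0. The program below is an added example, not code from this issue or from Npcap: a validator for the classic pcap record format that a replay tool could run over a file before queuing anything, reporting exactly that class of corruption (zero-length records, caplen larger than len or than the file's snaplen, a record running past end of file). It does not touch the pcap API; the embedded sample capture, the PCAP_HDR_LEN/REC_HDR_LEN constants and the function names are constructed for this example. It is a client-side sanity check only: a malformed file should never be able to take down the kernel, so the check complements rather than replaces a driver fix.

```c
/* Added example (not from the issue or from Npcap): validate classic pcap
 * records before replaying them. Header offsets are those of the pcap file
 * format; the sample capture below is constructed in memory. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PCAP_MAGIC        0xa1b2c3d4u  /* microsecond timestamps */
#define PCAP_MAGIC_SWAP   0xd4c3b2a1u
#define PCAP_NS_MAGIC     0xa1b23c4du  /* nanosecond timestamps */
#define PCAP_NS_MAGIC_SWAP 0x4d3cb2a1u
#define PCAP_HDR_LEN 24  /* magic, major, minor, thiszone, sigfigs, snaplen, linktype */
#define REC_HDR_LEN  16  /* ts_sec, ts_usec, caplen, len */

struct scan_result {
    size_t good;            /* records safe to queue */
    size_t bad;             /* records that fail a sanity rule */
    size_t first_bad_index; /* 0-based index of the first bad record */
    int    truncated;       /* file ends inside a header or payload */
};

static uint32_t rd32(const uint8_t *p, int swap)
{
    uint32_t v;
    memcpy(&v, p, 4);
    if (swap)
        v = (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
    return v;
}

/* The rules a replay tool should enforce per record. */
static int rec_ok(uint32_t caplen, uint32_t len, uint32_t snaplen)
{
    if (caplen == 0 || len == 0) return 0;     /* nothing to transmit */
    if (caplen > len) return 0;                /* captured more than was on the wire */
    if (snaplen != 0 && caplen > snaplen) return 0;
    return 1;
}

/* Walk the file once. Returns -1 if the global header is not a pcap header. */
int scan_pcap(const uint8_t *buf, size_t n, struct scan_result *r)
{
    memset(r, 0, sizeof *r);
    if (n < PCAP_HDR_LEN) return -1;
    uint32_t magic = rd32(buf, 0);
    int swap;
    if (magic == PCAP_MAGIC || magic == PCAP_NS_MAGIC) swap = 0;
    else if (magic == PCAP_MAGIC_SWAP || magic == PCAP_NS_MAGIC_SWAP) swap = 1;
    else return -1;
    uint32_t snaplen = rd32(buf + 16, swap);

    size_t off = PCAP_HDR_LEN, idx = 0;
    int seen_bad = 0;
    while (off < n) {
        if (n - off < REC_HDR_LEN) { r->truncated = 1; break; }
        uint32_t caplen = rd32(buf + off + 8, swap);
        uint32_t len    = rd32(buf + off + 12, swap);
        off += REC_HDR_LEN;
        if (rec_ok(caplen, len, snaplen)) {
            r->good++;
        } else {
            if (!seen_bad) { r->first_bad_index = idx; seen_bad = 1; }
            r->bad++;
        }
        if (caplen > n - off) { r->truncated = 1; break; }
        /* A caplen of 0 advances by the header only, so everything after a
         * zero record is re-parsed as further junk records, as windump did. */
        off += caplen;
        idx++;
    }
    return 0;
}

static void put32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); } /* host order, read back with swap=0 */
static void put16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }

/* Constructed sample: two sane 14-byte Ethernet records, one record with
 * caplen==0/len==0, then 32 zero bytes of trailing garbage. Returns length. */
size_t build_sample(uint8_t *out, size_t cap)
{
    static const uint8_t eth[14] = {0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0,0,0,0,0x01, 0x08,0x06};
    if (cap < 132) return 0;
    put32(out, PCAP_MAGIC); put16(out + 4, 2); put16(out + 6, 4);
    put32(out + 8, 0); put32(out + 12, 0); put32(out + 16, 65535); put32(out + 20, 1 /* DLT_EN10MB */);
    size_t off = PCAP_HDR_LEN;
    for (int i = 0; i < 2; i++) {
        put32(out + off, 1556048527u + (uint32_t)i); put32(out + off + 4, 0);
        put32(out + off + 8, 14); put32(out + off + 12, 60);
        memcpy(out + off + REC_HDR_LEN, eth, 14);
        off += REC_HDR_LEN + 14;
    }
    put32(out + off, 1556048529u); put32(out + off + 4, 0);
    put32(out + off + 8, 0); put32(out + off + 12, 0);   /* caplen==0, len==0 */
    off += REC_HDR_LEN;
    memset(out + off, 0, 32); off += 32;                  /* trailing junk */
    return off;
}

struct scan_result sample_scan(void)
{
    uint8_t buf[256];
    struct scan_result r;
    size_t n = build_sample(buf, sizeof buf);
    scan_pcap(buf, n, &r);
    return r;
}

int main(void)
{
    struct scan_result r = sample_scan();
    printf("good=%zu bad=%zu first_bad=%zu truncated=%d\n",
           r.good, r.bad, r.first_bad_index, r.truncated);
    return r.bad || r.truncated;  /* non-zero: do not replay this file */
}
```

Run it against a real file by replacing build_sample() with a read of the file into a buffer; a non-zero exit means the file should not be passed to a send queue. The same loop (without the queueing) is what windump's "Invalid header" lines reflect.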

r0t0tiller (Author) commented

I am going to do more analysis on this. Feel free to close.

dmiller-nmap commented

This is very likely the same issue as #1398, caused by using pageable memory for network data. When it is paged out, the MDL becomes junk, causing crashes in downstream drivers. This issue will be solved in the next release.

dmiller-nmap commented

#1398 was fixed in Npcap 0.993. If you experience this same crash with a later version of Npcap, please open a new issue or comment here and we will re-evaluate.
